The insider threat is one of the most vexing problems in computer security research. We will present an overview of an ongoing collaborative project aimed at understanding human behavior and the insider threat. The organizations involved include Carnegie Mellon University, Columbia University, Cornell University, Dartmouth College, Indiana University, MITRE Corporation, Purdue University, and the RAND Corporation. Two primary objectives serve to focus and integrate the proposed research activities: technology exploration and environmental constraints. The first objective addresses the need for base technologies to monitor insider behavior, coupled with behavioral descriptions of suspicious, inappropriate or illegitimate events or activities. The second objective addresses the need for a methodological framework for handling incipient and actual insider behavior once it is recognized.
In this talk we describe some of the ongoing research at Columbia that aims to develop technology and monitoring functions providing a lightweight, robust, and scalable event processing infrastructure that can be deployed in a range of at-risk enterprises (e.g. the U.S. military, banks, chemical plants and refineries, and border and port security systems). Our work involves the implementation of host-based sensors that detect unusual user behavior indicative of insider attack. We present an overview of prior work on masquerade detection and our most recent work to incorporate context and infer intent in order to identify potential insider attacks more accurately. We also detail our current work on network-based decoy traffic and on detecting misuse of honeytokens: purposely placed, realistic-looking decoy data designed to entice traitors into revealing their nefarious actions.
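As an added illustration of the honeytoken misuse detection mentioned above (example code written for this page, not the Columbia sensors themselves), here is a small Python detector run over constructed host-sensor events: any access to a planted decoy document by an account other than the one that planted it, or the decoy's embedded marker string turning up in outbound data, raises an alert. The decoy paths, account names, marker strings and event format are all hypothetical.

```python
import json
from collections import defaultdict

# Constructed decoy registry: planted honeytoken documents, the service account
# that planted them, and the distinctive marker string embedded in each (all hypothetical).
DECOYS = {
    "/shares/finance/Q3_merger_terms.xlsx": {"owner": "decoy-svc", "token": "HT-7f3a91c2"},
    "/home/alice/passwords_backup.txt": {"owner": "decoy-svc", "token": "HT-b02e55d4"},
}

def classify_event(ev):
    """Return (alert_kind, decoy_path) for a suspicious event, else None."""
    path = ev.get("path", "")
    if path in DECOYS:
        if ev["user"] == DECOYS[path]["owner"]:
            return None  # the planting service touching its own decoy is expected
        return ("decoy_access", path)
    # The marker showing up outside the decoy file (e.g. in outbound data) means decoy contents are moving.
    payload = ev.get("payload", "")
    for dpath, meta in DECOYS.items():
        if meta["token"] in payload:
            return ("token_leak", dpath)
    return None

def detect(lines):
    """Scan JSON event lines; return (alerts, decoys touched per user)."""
    alerts, touched = [], defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed sensor output is skipped, not trusted
        if not isinstance(ev, dict) or "user" not in ev or "action" not in ev:
            continue
        hit = classify_event(ev)
        if hit is None:
            continue
        kind, dpath = hit
        alerts.append({"user": ev["user"], "kind": kind, "decoy": dpath, "action": ev["action"]})
        touched[ev["user"]].add(dpath)
    return alerts, dict(touched)

# Constructed sample sensor events (not real logs).
SAMPLE = [
    '{"user":"decoy-svc","action":"write","path":"/shares/finance/Q3_merger_terms.xlsx"}',
    '{"user":"bob","action":"read","path":"/shares/finance/Q3_merger_terms.xlsx"}',
    '{"user":"bob","action":"read","path":"/home/alice/passwords_backup.txt"}',
    '{"user":"bob","action":"net_send","payload":"subject: terms ... HT-7f3a91c2 ..."}',
    '{"user":"carol","action":"read","path":"/shares/finance/roster.xlsx"}',
]
```

Running `detect(SAMPLE)` yields three alerts, all for `bob`, and shows that he touched both decoys, which is the scanning pattern a sensor would escalate; the planting account's own write and carol's access to a real file produce nothing.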
Salvatore J. Stolfo is Professor of Computer Science at Columbia University. He received his Ph.D. from NYU Courant Institute in 1979 and has been on the faculty of Columbia ever since. (See http://www.cs.columbia.edu/~sal). He has published well over 160 formal scientific papers in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion and anomaly detection systems. His most recent research has been devoted to distributed data mining systems with applications to fraud and intrusion detection in network information systems. (See http://www.cs.columbia.edu/ids.) He has been awarded 15 patents in the areas of parallel computing and database inference, internet privacy, intrusion detection and computer security.
He served as the Chairman of the Computer Science Department and the Director of the Center for Advanced Technology at Columbia University. He recently co-chaired several workshops in data mining, intrusion detection and Digital Government, co-chaired the program committee of the ACM SIGKDD 2000 Conference, and organized two recent workshops sponsored by NSF, ARO and the Department of the Treasury in the area of computer security and insider attack threats. He is a member of three editorial boards and a reviewer for many of the most prestigious journals in computer security, as well as a member of several program committees for the top conferences in the area. He was also an expert witness in the DOJ versus Microsoft "browser wars" case. He was a member of the Congressional Internet Caucus Advisory Committee and of the Visa 3D Secure Authenticated Internet Payments Vendor Program. He was a consultant to the CTO of Citicorp for several years, and helped organize the Financial Services Technology Consortium. He is a board member and treasurer of a private organization of Professionals for Cyber Defense. Recently, he has participated in a DARPA ISAT study, served as a consultant to the director of the DARPA IPTO office as a member of the DARPA Futures Panel, and is a member of the National Academies National Research Council / Naval Studies Board (NSB) Committee on Information Assurance for Network-Centric Naval Forces.